The European Union’s Critical Entities Resilience (CER) Directive outlines new resilience obligations for organizations providing essential services across the EU.
By July 2026, Member States must identify “critical entities” across 11 sectors, including energy, transport, health, finance, and digital infrastructure. Once notified, organizations will have just 9–10 months to comply.
Compliance will require a comprehensive “all-hazards” risk assessment and the implementation of robust technical, organizational and security measures to ensure continuity of essential services. Given the Directive’s wide scope and compressed timeline, early preparation is essential for organizations likely to fall within scope.
If your organization provides essential services in the EU, the CER Directive will likely apply to you.
At the heart of the Directive is a shift in mindset: from asset-based risk thinking to ecosystem-based resilience. You’ll need to assess a wide range of risks and put in place the right technical, organizational and security measures to keep services running, even during disruption.
If your organization is identified as a critical entity, you’ll be required to:
These requirements go beyond previous legislation and will likely demand significant resources, governance updates and cross-sector coordination.
A key component of the Directive is Article 12, which mandates a comprehensive “all-hazards” risk assessment. Organizations must consider a wide spectrum of risks, from natural disasters and pandemics to supply chain failures and cyber-physical attacks. Getting this assessment right is critical.
Its purpose is to help you focus on what truly matters: identifying the hazards most likely to disrupt essential services and directing attention and resources accordingly.
Precision matters because a key component of resilience is prioritisation. A well-calibrated risk assessment helps you distinguish between what’s urgent and what can wait. It enables you to build resilience where it counts, reduce unnecessary complexity and respond with confidence when disruption strikes.
Once you’ve identified your risks, Article 13 of the Directive requires you to implement “appropriate and proportionate technical, security and organizational measures” to ensure resilience. This includes taking preventative steps to reduce the likelihood of incidents, developing response and recovery plans to manage impacts and establishing business continuity strategies, such as alternative supply chains, to maintain operations during disruption.
But documentation alone isn’t enough. Real crises are high-pressure, chaotic and unpredictable. To meet the resilience standards set by the Directive, organizations should go beyond planning and validate their strategies through regular, realistic training, drills and exercises. Immersive, scenario-based simulations are emerging as best practice for testing resilience under real-world conditions. Without rigorous testing, there’s no true assurance that your measures will hold up when they’re needed most.
To meet the Directive’s requirements and build long-term resilience, consider these actions:
01. The earlier you begin, the more time you’ll have to act on the findings.
02. Avoid over- or under-identifying risks by cross-checking your conclusions.
03. Review your current arrangements and prioritise improvements.
04. Update your plans regularly and make testing a routine.
The CER Directive should be treated as more than a regulatory hurdle. Instead, it can be a catalyst for stronger, smarter resilience. By acting early and focusing on precision, you can turn compliance into competitive advantage.
To explore how you can strengthen your resilience strategy ahead of the CER Directive deadline, get in touch with our specialists.